On Wed, Aug 27, 2014 at 04:03:55PM -0500, Jamie Strandboge wrote:
> On 08/27/2014 02:56 PM, Steve Beattie wrote:
> > On Mon, Aug 25, 2014 at 05:06:07PM -0700, john.johan...@canonical.com wrote:
> >> This patch implements parsing of fine grained mediation for unix domain
> >> sockets, that have abstract and anonymous paths. Sockets with file
> >> system paths are handled by regular file access rules.
> >>
> >> the unix network rules follow the general fine grained network
> >> rule pattern of
> >>
> >>   [<qualifiers>] af_name [<access expr>] [<rule conds>] [<local expr>]
> >>   [<peer expr>]
> >>
> >> specifically for af_unix this is
> >>
> >>   [<qualifiers>] 'unix' [<access expr>] [<rule conds>] [<local expr>]
> >>   [<peer expr>]
> >>
> >>   <qualifiers> = [ 'audit' ] [ 'allow' | 'deny' ]
> >>
> >>   <access expr> = ( <access> | <access list> )
> >>
> >>   <access> = ( 'server' | 'create' | 'bind' | 'listen' | 'accept' |
> >>                'connect' | 'shutdown' | 'getattr' | 'setattr' |
> >>                'getopt' | 'setopt' |
> >>                'send' | 'receive' | 'r' | 'w' | 'rw' )
> >>   (some access modes are incompatible with some rules or require additional
> >>   parameters)
> >>
> >>   <access list> = '(' <access> ( [','] <WS> <access> )* ')'
> >
> > So I'm testing a bit with this patch and it seems that the patch doesn't
> > implement this exactly. Currently, the parser does not accept the following:
> >
> >   unix send,
> >   unix receive,
> >   unix server,
> >   unix (server),
> >
> > Implementing the latter two requires a bit of complexity that I wasn't
> > prepared to tackle at this moment. The following patch adds support
> > for the first two, as well as adding a bunch more simple acceptance
> > tests for the various access keywords.
> >
> > Signed-off-by: Steve Beattie <st...@nxnw.org>
>
> Note, 'server' isn't documented in the man page either. Perhaps we can add
> 'server' later?

Yes. At least on my priority list, it's pretty low. A nice to have feature,
but not critical.

-- 
Steve Beattie
<sbeat...@ubuntu.com>
http://NxNW.org/~steve/
-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
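
The qualifier and access-expression productions quoted in the thread above, written out as a small Python checker. This is an added example, not apparmor_parser code and not part of the thread; `parse_unix_rule` and the sample rules are constructed for illustration. It shows that the grammar as quoted admits all four rules reported as rejected by the parser.

```python
import re

# Access keywords exactly as listed in the quoted <access> production.
ACCESS = ("server", "create", "bind", "listen", "accept", "connect",
          "shutdown", "getattr", "setattr", "getopt", "setopt",
          "send", "receive", "r", "w", "rw")

# \b stops 'r' from matching the start of 'receive' or 'send' inside 'sendto'.
_ACC = r"(?:" + "|".join(ACCESS) + r")\b"
# <access list> = '(' <access> ( [','] <WS> <access> )* ')'
_ACC_LIST = r"\(" + _ACC + r"(?:,?\s+" + _ACC + r")*\)"
# <qualifiers> = [ 'audit' ] [ 'allow' | 'deny' ], in that order, then 'unix'.
_RULE = re.compile(
    r"\s*(?P<audit>audit\s+)?(?:(?P<perm>allow|deny)\s+)?"
    r"unix(?:\s+(?P<expr>" + _ACC_LIST + "|" + _ACC + r"))?\s*,\s*\Z")


def parse_unix_rule(line):
    """Parse '[audit] [allow|deny] unix [<access expr>],' or return None.

    Rule conds, local and peer expressions are not defined in the quoted
    text, so a rule carrying them is outside this sketch and yields None.
    The note that some access modes are incompatible with some rules is
    not enforced here either.
    """
    m = _RULE.match(line)
    if m is None:
        return None
    return {"audit": m.group("audit") is not None,
            "qualifier": m.group("perm"),
            # expr already matched the grammar, so a plain word scan is safe.
            "access": re.findall(r"[a-z]+", m.group("expr") or "")}


# Constructed sample input: the four rules from the thread, then extras.
SAMPLES = ["unix send,", "unix receive,", "unix server,", "unix (server),",
           "audit deny unix (send, receive),", "unix (bind listen accept),",
           "unix,", "unix sendto,", "deny audit unix r,"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:40} -> {parse_unix_rule(s)}")
```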